wherein

the address translation unit further has:

means for adding an address translation rule established on a per sending device basis to the database unit in response to a request for initiating communication sent from a terminal on the global network or a terminal on a private network; and

means for deleting the added address translation rule from the database unit when a predetermined criterion for ending communication is satisfied.

8. The address translation apparatus according to Claim 7, comprising:

an authentication unit which performs authentication in response to a request for initiating communication from a terminal on the global network, wherein:

the database unit further records user information used by the authentication unit to perform authentication; and

the address translation unit adds the address translation rule to the database unit in response to a request for initiating communication from a terminal on the global network only if the authentication succeeds.

9. The address translation apparatus according to Claim 7, wherein the address translation unit adds the address translation rule to the database unit in response to a request for initiating communication from a terminal on the global network only if an authentication server which performs authentication requests the addition.

10. (Amended) An authentication server which permits access to the address translation apparatus according to Claim 9, comprising:

an interface unit which provides communication with a terminal on the global network and the address translation apparatus;

an authentication unit which performs authentication in response to a request for permission to access the address translation apparatus from a terminal on the global network;

a control unit having:

means for requesting the address translation apparatus to add an address translation rule for a packet sent from a terminal on the global network if authentication at the authentication unit succeeds; and

means for requesting the address translation apparatus to delete the added address translation rule when a predetermined criterion for ending communication is satisfied; and

a database unit which records user information used by the authentication unit to perform authentication.

11. A firewall apparatus which allows a packet from a global network external to the firewall apparatus to pass through to a private network internal to the firewall apparatus if the packet meets an acceptance condition set in a database unit, comprising:

a WAN interface unit which provides communication with the global network;

a LAN interface unit which provides communication with the private network;

an access control unit having means for controlling access from the global network to the private network in accordance with an access control rule established on a per sending device basis or on a per sending network basis;

an authentication unit which performs authentication in response to a request for access permission from the global network; and

a database unit which records the access control rule and user information used by the authentication unit to perform authentication.

12. The firewall apparatus according to Claim 11, wherein:

the access control unit further has means for adding an access control rule established on a per sending device basis or on a per sending network basis to the database unit if authentication at the authentication unit succeeds and an access control rule for a request for access permission from a device on the global network is not recorded in the database unit; and

means for deleting the added access control rule from the database unit when a predetermined criterion for ending communication is satisfied.

13. The firewall apparatus according to Claim 12, wherein the access control unit further has:

means for, if a request for new access permission is provided from a device on the global network that is using an established secure session during the duration of the secure session, sending notification seeking confirmation of the request to the device on the global network by using the secure session; and

means for rejecting a new access regardless of the access control rule if denial of the request is returned from the device on the global network.
14. The firewall apparatus according to any of Claims 11 to 13, wherein the access control unit further has:

means for monitoring the status of communication; and

means for notifying the device on the global network of an anomaly in communication if a predetermined criterion for communication anomaly is satisfied.

15. (Amended) The relay apparatus according to Claim 1, wherein:

the access control rule and the address translation rule have a condition on the IP address of the sending device or the IP address of the sending network.

16. (Amended) The relay apparatus according to Claim 15, comprising:

an authentication unit which performs authentication in response to a request for access permission sent from a terminal on the global network, wherein:

the database unit further records user information used by the authentication unit to perform authentication;

the access control unit further has:

means for adding an access control rule established on a per sending device basis or a per sending network basis to the database unit if the authentication succeeds; and

means for deleting the added access control rule from the database unit when a predetermined criterion for ending communication is satisfied; and

the address translation unit further has:

means for adding an address translation rule established on a per sending device basis to the database unit if the authentication succeeds; and

means for deleting the added address translation rule from the database unit when a predetermined criterion for ending communication is satisfied.

17. (Amended) The address translation apparatus according to Claim 6, wherein:

the address translation rule has a condition on the IP address of the sending device or the IP address of the sending network.
18. (Amended) The address translation apparatus according to Claim 17, wherein the address translation unit further has:

means for adding an address translation rule established on a per sending device basis to the database unit in response to a request for initiating communication sent from a terminal on the global network or a terminal on a private network; and

means for deleting the added address translation rule from the database unit when a predetermined criterion for ending communication is satisfied.

19. (Amended) The firewall apparatus according to Claim 11, wherein:

the access control rule has a condition on the IP address of the sending device or the IP address of the sending network.
20. (Amended) The firewall apparatus according to Claim 19, wherein:

the access control unit further has means for adding an access control rule established on a per sending device basis or on a per sending network basis to the database unit if authentication at the authentication unit succeeds and an access control rule for a request for access permission from a device on the global network is not recorded in the database unit; and

means for deleting the added access control rule from the database unit when a predetermined criterion for ending communication is satisfied.

21. (Amended) An address translation method for a terminal on a private network that does not have an address on a global network to perform communication through the global network, comprising:

recording an address translation rule established on a per sending device basis in a database unit beforehand;

when a packet from the global network is received by a WAN interface unit,

translating, by an address translation unit, a destination address in accordance with the address translation rule; and

transferring, by a LAN interface unit, the packet having the translated address to the private network;

when a packet from the private network is received by the LAN interface unit,

translating, by the address translation unit, a source address in accordance with the address translation rule; and

transferring, by the WAN interface unit, the packet having the translated address to the global network.

22. (Amended) An address translation method for a terminal on a private network that does not have an address on a global network to perform communication through the global network, comprising:

recording an address translation rule established on a per sending device basis in a database unit beforehand;

when a packet from the global network is received by a WAN interface unit,

performing authentication in an authentication unit; and

if the authentication succeeds, checking, by the address translation unit, the database unit to see whether or not an address translation rule that matches source information and destination information of the packet is stored in the database unit, and

if a matching address translation rule is found in the database unit, translating the address of the packet in accordance with the address translation rule;

if a matching address translation rule is not found in the database unit, adding an address translation rule to the database unit and translating the address of the packet in accordance with the added address translation rule; and

transferring, by a LAN interface unit, the packet having the translated address to the private network;

when a packet from the private network is received by the LAN interface unit,

checking, by the address translation unit, the database unit to see whether or not an address translation rule that matches source information and destination information of the packet is recorded in the database unit, and

if a matching address translation rule is found in the database unit, translating the address of the packet in accordance with the address translation rule;

if a matching address translation rule is not found in the database unit, adding an address translation rule to the database unit and translating the address of the packet in accordance with the added address translation rule; and

transferring, by the WAN interface unit, the packet having the translated address to the global network; and

if there is an address translation rule added by the address translation unit, deleting the address translation rule from the database unit when a predetermined criterion for ending communication is satisfied.

23. (Added) The address translation method according to Claim 22, wherein, instead of performing authentication in the authentication unit, determination is made that authentication is successful when a request is received from an authentication server which performs authentication of a terminal on the global network.
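
The following Python simulation is an added illustration of the translation method of Claims 21 to 23 (and of the per sending device rules of Claims 7 to 9); it is not code from the patent. It assumes a simplified packet with only source and destination addresses, a database unit keyed by (sending device, global address) as Claim 17 suggests, user information keyed by the sending device's address, an administrator-supplied map from each global address to the private terminal it fronts (so that a rule can be added for a new sender), the apparatus's own global address as the source for private-to-global translation, and an idle timeout as the "predetermined criterion for ending communication". The `auth_server_ok` hook stands in for the Claim 23 variant in which an authentication server's request counts as successful authentication. All addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address


@dataclass
class TranslationRule:
    """Address translation rule established on a per sending device basis."""
    peer: str          # sending device on the global network
    global_addr: str   # address at which the private terminal is reached from the global network
    private_addr: str  # terminal on the private network
    dynamic: bool      # True if the translation unit added it, so it is eligible for deletion
    last_seen: float   # time of the last matching packet; assumed basis of the end criterion


class DatabaseUnit:
    """Records translation rules keyed by (sending device, global address) and user information."""

    def __init__(self, users: Set[str]) -> None:
        self.rules: Dict[Tuple[str, str], TranslationRule] = {}
        self.users = set(users)  # user information consulted by the authentication unit

    def record(self, rule: TranslationRule) -> None:
        self.rules[(rule.peer, rule.global_addr)] = rule

    def find_by_global(self, peer: str, global_addr: str) -> Optional[TranslationRule]:
        return self.rules.get((peer, global_addr))

    def find_by_private(self, private_addr: str, peer: str) -> Optional[TranslationRule]:
        return next((r for r in self.rules.values()
                     if r.private_addr == private_addr and r.peer == peer), None)


class AddressTranslationUnit:
    def __init__(self, db: DatabaseUnit, targets: Dict[str, str], wan_addr: str,
                 idle_timeout: float, auth_server_ok: Optional[Callable[[str], bool]] = None) -> None:
        self.db = db
        self.targets = targets            # assumed: global address -> private terminal it fronts
        self.wan_addr = wan_addr          # assumed: the apparatus's own address on the global network
        self.idle_timeout = idle_timeout  # assumed end-of-communication criterion (seconds idle)
        self.auth_server_ok = auth_server_ok  # Claim 23 variant: an authentication server's verdict

    def authenticate(self, src: str) -> bool:
        if self.auth_server_ok is not None:
            return self.auth_server_ok(src)
        return src in self.db.users  # simplified: user information keyed by sending device address

    def from_wan(self, pkt: Packet, now: float) -> Optional[Packet]:
        """WAN interface received pkt; returns the packet passed to the LAN interface, or None if dropped."""
        if not self.authenticate(pkt.src):
            return None  # authentication failed: no rule is consulted or added
        rule = self.db.find_by_global(pkt.src, pkt.dst)
        if rule is None:
            private = self.targets.get(pkt.dst)
            if private is None:
                return None  # nothing on the private network is reachable at this global address
            rule = TranslationRule(pkt.src, pkt.dst, private, dynamic=True, last_seen=now)
            self.db.record(rule)
        rule.last_seen = now
        return Packet(pkt.src, rule.private_addr)  # destination address translated

    def from_lan(self, pkt: Packet, now: float) -> Packet:
        """LAN interface received pkt; returns the packet passed to the WAN interface."""
        rule = self.db.find_by_private(pkt.src, pkt.dst)
        if rule is None:
            rule = TranslationRule(pkt.dst, self.wan_addr, pkt.src, dynamic=True, last_seen=now)
            self.db.record(rule)
        rule.last_seen = now
        return Packet(rule.global_addr, pkt.dst)  # source address translated

    def expire(self, now: float) -> int:
        """Delete rules this unit added once the end-of-communication criterion is satisfied."""
        stale = [key for key, r in self.db.rules.items()
                 if r.dynamic and now - r.last_seen >= self.idle_timeout]
        for key in stale:
            del self.db.rules[key]
        return len(stale)


def build_demo() -> AddressTranslationUnit:
    """Constructed scenario: one rule recorded beforehand (Claim 21) and two known users."""
    db = DatabaseUnit(users={"203.0.113.7", "198.51.100.20"})
    db.record(TranslationRule("203.0.113.7", "192.0.2.10", "10.0.0.5", dynamic=False, last_seen=0.0))
    return AddressTranslationUnit(db, targets={"192.0.2.10": "10.0.0.5"},
                                  wan_addr="192.0.2.1", idle_timeout=60.0)


if __name__ == "__main__":
    atu = build_demo()
    print(atu.from_wan(Packet("203.0.113.7", "192.0.2.10"), now=0))    # matches the recorded rule
    print(atu.from_wan(Packet("198.51.100.20", "192.0.2.10"), now=1))  # authenticated: rule added
    print(atu.from_wan(Packet("192.0.2.99", "192.0.2.10"), now=2))     # None: not authenticated
    print(atu.from_lan(Packet("10.0.0.8", "198.51.100.30"), now=3))    # rule added for the reply path
    print(atu.expire(now=100), "dynamic rules deleted")                # 2
```

The check a practitioner should notice: because Claim 22 authenticates every packet arriving at the WAN interface before the rule lookup, the reply to a flow that a private terminal initiated is only let in if the remote sender is itself known to the authentication unit (or vouched for by the authentication server of Claim 23); the dynamically added rule alone does not open the path. Deletion is driven purely by the dynamic flag and the end criterion, so the rule recorded beforehand survives `expire()`.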

24. (Added) An access control method for allowing a packet from a global network external to a firewall to pass through to a private network internal to the firewall if the packet meets an access control rule set in a database unit, comprising:

recording an access control rule established on a per sending device basis or on a per sending network basis in a database unit beforehand; and

when a connection request from the global network is received by a WAN interface unit, checking, by an access control unit, the database unit to see whether or not an access control rule that matches the connection request is recorded in the database unit; and

if the access control rule is found in the database unit, permitting communication.

25. (Added) An access control method for allowing a packet from a global network external to a firewall to pass through to a private network internal to the firewall if the packet meets an access control rule set in a database unit, comprising:

recording an access control rule established on a per sending device basis or on a per sending network basis in a database unit beforehand; and

when a connection request from the global network is received by a WAN interface unit, performing authentication in an authentication unit; and

if the authentication succeeds, checking, by an access control unit, the database unit to see whether or not an access control rule that matches the connection request is recorded in the database unit; and

if a matching access control rule is found in the database unit, permitting the communication;

if a matching access control rule is not found in the database unit, adding an access control rule established on a per sending device basis or on a per sending network basis to the database unit and permitting the communication;

when a packet from the private network is received by a LAN interface unit,

checking, by the access control unit, the database unit to see whether or not an access control rule that matches the connection request is recorded in the database unit; and

if a matching access control rule is found in the database unit, permitting communication;

if a matching access control rule is not found in the database unit, adding an access control rule established on a per sending device basis to the database unit and permitting the communication; and

if there is an access control rule added by the access control unit, deleting the access control rule from the database unit when a predetermined criterion for ending communication is satisfied.

26. (Added) The access control method according to Claim 25, wherein, instead of performing authentication in the authentication unit, determination is made that authentication is successful when a request is received from an authentication server which performs authentication of a terminal on the global network.

27. (Added) The access control method according to any of Claims 24 to 26, wherein:

the communication status of an established secure session is monitored during the secure session; and

if a predetermined criterion is met, the device on the global network that is using the established secure session is notified of occurrence of
28. (Added) The access control method according to any of Claims 24 to 26, wherein:

if a new connection request from a terminal on the global network that has established a secure session is received by the WAN interface unit during the duration of the secure session, the information on the connection request is notified to the terminal on the global network that has the established secure session; and

if a denial of the request is returned from the device, rejecting the connection regardless of the access control rule recorded in the database unit.
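
The following Python simulation is an added illustration of the access control method of Claims 24 to 26 and 28 (and of the apparatus of Claims 11 to 13); it is not code from the patent. It assumes that access control rules are conditions on the sending IP address as in Claim 19 (a /32 prefix for a per sending device rule, a wider prefix for a per sending network rule), that user information is keyed by the sending device's address, that an idle timeout is the "predetermined criterion for ending communication", and that the notification sent to a terminal over its established secure session is modelled by a `confirm` callback which returns False when the terminal denies the request. The Claim 26 variant (an authentication server's request counts as success) can be realised by the same hook pattern as in the translation example above. Addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class AccessRule:
    """Access control rule: /32 for a per sending device rule, a wider prefix for a per sending network rule."""
    network: ipaddress.IPv4Network
    dynamic: bool      # True if the access control unit added it, so it is eligible for deletion
    last_seen: float   # time of the last matching request; assumed basis of the end criterion


class FirewallDatabase:
    """Records the access control rules and the user information used for authentication."""

    def __init__(self, users: Set[str]) -> None:
        self.rules: List[AccessRule] = []
        self.users = set(users)

    def record(self, prefix: str, dynamic: bool, now: float) -> AccessRule:
        rule = AccessRule(ipaddress.ip_network(prefix), dynamic, now)
        self.rules.append(rule)
        return rule

    def match(self, addr: str) -> Optional[AccessRule]:
        ip = ipaddress.ip_address(addr)
        return next((r for r in self.rules if ip in r.network), None)


class AccessControlUnit:
    def __init__(self, db: FirewallDatabase, confirm: Callable[[str, str], bool],
                 idle_timeout: float) -> None:
        self.db = db
        # confirm(terminal, request_info) models the notification sent over the terminal's
        # established secure session (Claims 13 and 28); False means the terminal denied it.
        self.confirm = confirm
        self.sessions: Set[str] = set()   # global addresses holding an established secure session
        self.idle_timeout = idle_timeout  # assumed end-of-communication criterion (seconds idle)

    def authenticate(self, src: str) -> bool:
        return src in self.db.users  # simplified: user information keyed by sending device address

    def session_established(self, src: str) -> None:
        self.sessions.add(src)

    def session_ended(self, src: str) -> None:
        self.sessions.discard(src)

    def from_wan(self, src: str, dst: str, now: float) -> bool:
        """Connection request from src on the global network to dst on the private network."""
        if not self.authenticate(src):
            return False
        # A further request from a terminal that already holds a secure session is put to that
        # terminal over the session first; a denial rejects it even if a matching rule exists.
        if src in self.sessions and not self.confirm(src, "new connection to " + dst):
            return False
        rule = self.db.match(src)
        if rule is None:
            rule = self.db.record(src + "/32", dynamic=True, now=now)  # per sending device
        rule.last_seen = now
        return True

    def from_lan(self, dst: str, now: float) -> bool:
        """Packet from the private network to dst on the global network."""
        rule = self.db.match(dst)
        if rule is None:
            rule = self.db.record(dst + "/32", dynamic=True, now=now)  # lets the reply back in
        rule.last_seen = now
        return True

    def expire(self, now: float) -> int:
        """Delete rules this unit added once the end-of-communication criterion is satisfied."""
        before = len(self.db.rules)
        self.db.rules = [r for r in self.db.rules
                         if not (r.dynamic and now - r.last_seen >= self.idle_timeout)]
        return before - len(self.db.rules)


def build_demo(answers: Dict[str, bool]) -> AccessControlUnit:
    """Constructed scenario: one per sending network rule recorded beforehand and two known users.
    `answers` maps a terminal address to the reply it gives to a confirmation request."""
    db = FirewallDatabase(users={"203.0.113.7", "198.51.100.20"})
    db.record("198.51.100.0/24", dynamic=False, now=0.0)
    return AccessControlUnit(db, confirm=lambda term, info: answers.get(term, True), idle_timeout=60.0)


if __name__ == "__main__":
    acu = build_demo({"203.0.113.7": False})
    print(acu.from_wan("203.0.113.7", "10.0.0.5", now=0))  # True: authenticated, /32 rule added
    acu.session_established("203.0.113.7")
    print(acu.from_wan("203.0.113.7", "10.0.0.5", now=1))  # False: denied over the secure session
    print(acu.expire(now=100), "dynamic rules deleted")     # 1
```

The point of the Claim 28 check is ordering: the confirmation over the secure session happens before the rule lookup, so a request that arrives with the address of a legitimately logged-in terminal (spoofed or from a compromised host behind the same address) can be vetoed by that terminal even though a rule for its address is already recorded. Rules recorded beforehand are never deleted by `expire()`; only rules the unit added are.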



